End-of-Life (EoL)
Downgrade from Panorama 8.0
Procedure on how to downgrade from Panorama 8.0 to Panorama
7.1.
Panorama 8.0 introduced enhanced logging capabilities.
However, this format is not backwards compatible with Panorama or
Log Collectors running a release earlier than Panorama 8.0. Before
you downgrade Panorama, Log Collectors, and firewalls, use the following
workflow to first migrate logs to the pre-PAN-OS 8.0 log format.
Then, downgrade firewalls before you downgrade Log Collectors and
Panorama running a Panorama 8.0 release to an earlier feature release.
This procedure works for both Panorama managing a local Log Collector
and managing one or more Dedicated Log Collectors.
Review the Palo Alto Networks Compatibility Matrix to
confirm that the firewalls and appliances you intend to downgrade
are compatible with PAN-OS 7.1. For example, PA-220, PA-800 Series,
PA-5200 Series and some VM-Series firewalls are not supported on
any release earlier than PAN-OS 8.0 and you cannot manage these
firewalls from Panorama after you downgrade Panorama to Panorama
7.1. For the firewalls and appliances that you can downgrade, you
should also review the Upgrade/Downgrade Considerations to ensure
that you account for all features and configuration settings that
will be different or unavailable after you downgrade.
Migrating
logs is not a required step. If you do not need to access your existing
log data, or are planning to upgrade back to a Panorama 8.0 release
soon, then you can avoid migrating your logs. However, if access
to previous log data is required, continue with the log migration
task. Before you begin this downgrade, schedule a maintenance window
that can accommodate the log migration task, which takes approximately
24 hours for each 2TB of data, during which you cannot query or
search logs, generate reports, or push configuration changes to
Log Collectors undergoing migration. The downgrade workflow involves
first upgrading your Panorama and Log Collectors to Panorama 8.0.2
before you migrate logs and downgrade Log Collectors or Panorama.
If the Log Collectors aggregate logs from firewalls running PAN-OS
8.0, you must also downgrade those firewalls to the same or an earlier
release than the release version to which you are downgrading Panorama.
- Save a backup of the Panorama and managed devices configuration files.
  - Export Panorama and device configuration snapshot (Panorama > Setup > Operations).
  - Save the exported .tgz file to a location external to Panorama, Log Collectors, or firewalls. You can use this backup to restore the configuration if you experience problems that cause you to start over.
- (Panorama and Log Collectors running Panorama 8.0 or 8.0.1 only) Upgrade Panorama and Log Collectors to Panorama 8.0.2 or later release.
  Panorama 8.0 introduced a new log format that previous releases do not support. However, the ability to migrate the log format was introduced in Panorama 8.0.2. As a result, you will first need to upgrade the software to Panorama 8.0.2 from an 8.0 or 8.0.1 release before migrating the log format and software to Panorama 7.1.
  Use the following procedures to upgrade Panorama and Log Collectors to Panorama 8.0.2 or later release as needed:
- Save a backup of the Panorama and managed devices configuration files.
  - Export Panorama and device configuration snapshot (Panorama > Setup > Operations).
  - Save the exported .tgz file to a location external to Panorama, Log Collectors, or firewalls. You can use this backup to restore the configuration if you experience problems that cause you to start over.
- Downgrade each firewall running a PAN-OS 8.0 release.
  If downgrading more than one firewall, streamline the process by having each firewall-specific PAN-OS 7.1 image downloaded to Panorama before you start downgrading. For example, to downgrade your PA-200, PA-3050, and PA-5060 firewalls to PAN-OS 7.1, download the PanOS_700-7.1.0, PanOS_3000-7.1.0, and PanOS_5000-7.1.0 images.
  Panorama requires that all firewalls are running the same or an earlier PAN-OS release. Thus, before you can downgrade Panorama, use and repeat the appropriate tasks below according to your environment to downgrade all managed firewalls:
  - Check Now for available images (Panorama > Device Deployment > Software).
  - Locate the PAN-OS 7.1 image for each model or series of firewalls you intend to downgrade. If the image is not already downloaded, then Download it.

  Non-HA Firewalls
  Click Install in the Action column for the PAN-OS 7.1 version, select all the firewalls you intend to downgrade, select Reboot device after install, and click OK.

  Active/Active HA Firewalls
  - Click Install, disable (clear) Group HA Peers, select either of the HA peers, select Reboot device after install, and click OK. Wait for the firewall to finish rebooting before you proceed.
  - Click Install, disable (clear) Group HA Peers, select the HA peer that you didn’t update in the previous step, select Reboot device after install, and click OK.

  Active/Passive HA Firewalls
  In this example, the active firewall is named fw1 and the passive firewall is named fw2:
  - Click Install in the Action column for the appropriate update, clear Group HA Peers, select fw2, select Reboot device after install, and click OK.
  - After fw2 finishes rebooting, verify on fw1 (Dashboard > High Availability widget) that fw2 is still the passive peer (the Local firewall state is active and the Peer (fw2) is passive).
  - Access fw1 and Suspend local device (Device > High Availability > Operational Commands).
  - Access fw2 (Dashboard > High Availability widget) and verify that the Local firewall state is active and the Peer firewall is suspended.
  - Access Panorama, select Panorama > Device Deployment > Software, click Install in the Action column for the appropriate update, clear Group HA Peers, select fw1, select Reboot device after install, and click OK. Wait for fw1 to finish rebooting before you proceed.
  - Access fw1 (Dashboard > High Availability widget) and verify that the Local firewall state is passive and the Peer (fw2) is active. If you enabled preemption in the Election settings (Device > High Availability > General), then fw1 will be reinstated as the active peer after reboot.
- Before downgrading a Log Collector, disable log forwarding to that Log Collector to avoid losing the log data during migration.
  Make sure not to push the configuration changes to any device group or template. Pushing applies the new IP addresses to the devices, and log forwarding will continue.
  You will need to temporarily disable log forwarding to avoid data loss and avoid putting unnecessary stress on devices undergoing log migration. Logs generated during the migration will be buffered on the firewall, and forwarded to the designated location once log forwarding is enabled.
  Make sure to keep track of the original IP addresses that will be edited to disable log forwarding. You will need to restore these IPs to re-enable log forwarding.

  For Panorama in Panorama Mode:
  - Select Panorama > Setup > Interfaces and select Management.
  - Change the IP Address to a different routable IP address and click OK.
  - If a dedicated port on Panorama is used for log forwarding, select the port and disable (clear) Device Management and Device Log Collection. Repeat this step for all dedicated ports used for log forwarding. To quickly identify if a dedicated port is used for log forwarding, refer to the Services Enabled column and confirm that Device Management and Log Collection is listed.
  - Commit to Panorama. Do not push the configuration change to devices, as it will push the new Management IP address to the firewalls and log forwarding will continue.
  - Log back in to Panorama using the new IP address.
  - Select Push to Devices and Edit Selections. You will need to Deselect All Device Groups and Templates, and Select All Collector Groups. Click OK and Push.

  For Panorama with logs forwarded to Dedicated Log Collectors undergoing downgrade:
  - Select Panorama > Managed Collectors, select a Dedicated Log Collector that will undergo downgrade from Panorama 8.0 and select Interfaces.
  - Select Management and change the IP Address to a different routable IP address and click OK.
  - If a dedicated port on Panorama is used for log forwarding, select the port and disable (clear) Device Management and Device Log Collection. Repeat this for all dedicated ports used for log forwarding. To quickly identify if a dedicated port is used for log forwarding, refer to the Services Enabled column and confirm Device Management and Log Collection is listed.
  - Click OK to exit the configuration screen and Commit to Panorama.
  - Select Push to Devices and Edit Selections. You will need to Deselect All Device Groups and Templates, and Select All Collector Groups. Click OK and Push.
- Migrate existing logs to the pre-8.0 format so Panorama and Log Collectors can read log data after the downgrade.
  You cannot pause or stop the migration after you begin. Disrupting the migration will cause some or all log data to become inaccessible. If the log migration is interrupted for any reason, repeat this step to restart the migration process. The migration will start anew, and not pick up from the point where the disruption occurred.
  Migrating your logs is not a required step. If you do not need to access your existing logs, or are planning to upgrade back to Panorama soon, then avoid migrating your logs. Existing log data will be accessible again once Panorama and Log Collectors have been upgraded back to an 8.0 or later release. However, if access to your previous logs is required, continue with the log migration task.
  During the migration, you cannot search within or query logs or generate reports, and Panorama and Log Collectors cannot receive any new logs.
  - Migrate logs to the pre-8.0 format using the commands appropriate for your environment:
    - On Panorama with a local Log Collector or on a Dedicated Log Collector:
      request logdb downgrade
    - On Panorama for each Collector Group:
      request logdb downgrade collector-group <collector-group-name>
- Monitor the status of the log migration.
  If you decide that you would like to end the log migration and continue with the downgrade, you will need to gracefully power down the Panorama or Log Collector to avoid any data inconsistencies or data corruption. Alternatively, you can continue to the step "Downgrade each Log Collector running Panorama 8.0" to downgrade while the migration is running. This will ensure that the appliance is powered down gracefully. Please note that not all data will have been migrated, meaning that only some data will be available upon downgrade.
  The migration takes approximately 24 hours for each 2TB of data. You can monitor progress during the downgrade process.
  You can continue to push configuration changes to your managed firewalls during the migration. You cannot push configuration changes to a Log Collector that is undergoing a log format migration.
  - Check the status of the migration:
    - On Panorama with a local Log Collector or on a Dedicated Log Collector:
      request logdb downgrade-in-progress
    - On Panorama for each Collector Group:
      request logdb downgrade-in-progress <collector-group-name>
    It takes roughly 30-40 minutes after you start the migration before these commands display an output. When they do display output, the result is "Logger downgrade in progress" if the migration is still in progress. If the migration is finished (or was interrupted or was not started), the command displays "No logger downgrade is in progress".
- Downgrade each Log Collector running Panorama 8.0.
  - Check Now for available images (Panorama > Device Deployment > Software).
  - Locate the Panorama 7.1 image. If the image is not already downloaded, then Download it (Action column).
  - After the download completes, Install the image on each Log Collector running Panorama 8.0. Select Reboot device after install to automatically reboot the device when the upgrade has completed.
- Downgrade Panorama.
  - Check Now for available images (Panorama > Device Deployment > Software).
  - Locate the Panorama 7.1 image. If the image is not already downloaded, then Download it.
  - After the download completes, Install the image on Panorama.
  - Reboot Panorama if the downgrade requires that:
    - If prompted to reboot, click Yes. If you see a CMS Login prompt, press Enter without typing the username or password. When the Panorama login prompt appears, enter the username and password you set during initial configuration.
    - If you are not prompted to reboot, select Panorama > Setup > Operations and click Reboot Panorama in the Device Operations section.
- Re-enable log forwarding from the firewalls to Log Collectors.
  If you disabled log forwarding in the step "Before downgrading a Log Collector, disable log forwarding to that Log Collector to avoid losing the log data during migration", you will need to re-enable log forwarding once the downgrade has completed for Panorama and Log Collectors. All logs that would have been sent during the procedure will be forwarded to the appropriate Log Collector.

  For Panorama in Panorama Mode:
  - Select Panorama > Setup > Interfaces and select Management.
  - Change the IP Address back to the original IP address.
  - If a dedicated port on Panorama is used for log forwarding, select the port and enable Device Management and Device Log Collection. Repeat this for all dedicated ports used for log forwarding.
  - Commit to Panorama.
  - Log back in to Panorama using the original IP address.
  - Select Push to Devices and Edit Selections. You will need to Deselect All Device Groups and Templates, and Select All Collector Groups. Click OK and Push.

  For Panorama with logs forwarded to Dedicated Log Collectors undergoing downgrade:
  - Select Panorama > Managed Collectors, select a Dedicated Log Collector that underwent downgrade from Panorama 8.0 and select Interfaces.
  - Select Management and change the IP Address back to the original IP address and click OK.
  - If a dedicated port on Panorama is used for log forwarding, select the port and enable Device Management and Device Log Collection. Repeat this for all dedicated ports used for log forwarding.
  - Click OK to exit the configuration screen and Commit to Panorama.
  - Select Push to Devices and Edit Selections. You will need to Deselect All Device Groups and Templates, and Select All Collector Groups. Click OK and Push.
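
The status command in the monitoring step prints "No logger downgrade is in progress" for a finished, an interrupted and a never-started migration alike, so a single poll cannot tell you whether log data survived. The following is an added example, not Palo Alto Networks code, that classifies a history of polls and compares the stop time against the 24-hours-per-2TB estimate. The `classify` and `estimate_hours` helpers, the poll tuples and the 0.5 early-stop threshold are assumptions, and collecting the CLI output is left to your own tooling.

```python
# Added example; constants come from the page, thresholds are marked as assumptions.
IN_PROGRESS = "Logger downgrade in progress"        # status text quoted on the page
NOT_RUNNING = "No logger downgrade is in progress"  # finished, interrupted, or never started
HOURS_PER_TB = 24 / 2   # page: about 24 hours per 2 TB of log data
WARMUP_MIN = 40         # page: 30-40 minutes before the command prints anything
EARLY_FRACTION = 0.5    # assumption: stopping before half the estimate is suspicious


def estimate_hours(log_tb):
    """Rough maintenance window needed for the log migration."""
    return log_tb * HOURS_PER_TB


def classify(samples, log_tb):
    """Classify (minutes_since_start, cli_output) polls of one migration.

    Returns 'warming-up', 'running', 'no-output', 'never-started',
    'ended-early' (likely interrupted; the page says to restart it) or 'ended'.
    """
    seen_running, ended_at, state = False, None, "warming-up"
    for minutes, output in sorted(samples):
        text = output.strip()
        if NOT_RUNNING in text:
            if ended_at is None:
                ended_at = minutes          # first poll that reported "not running"
            state = "stopped"
        elif IN_PROGRESS in text:
            seen_running, ended_at, state = True, None, "running"
        elif minutes > WARMUP_MIN:
            state = "no-output"             # silent past the warm-up window
    if state != "stopped":
        return state
    if not seen_running:
        return "never-started"
    if ended_at / 60 < EARLY_FRACTION * estimate_hours(log_tb):
        return "ended-early"
    return "ended"


# Constructed poll histories for a 4 TB collector (not real appliance output).
HEALTHY = [(10, ""), (45, IN_PROGRESS), (1440, IN_PROGRESS), (2900, NOT_RUNNING)]
INTERRUPTED = [(10, ""), (45, IN_PROGRESS), (300, NOT_RUNNING)]
NOT_STARTED = [(10, ""), (60, NOT_RUNNING)]

if __name__ == "__main__":
    for name, polls in [("healthy", HEALTHY), ("interrupted", INTERRUPTED),
                        ("not started", NOT_STARTED)]:
        print(f"{name}: {classify(polls, log_tb=4)} "
              f"(estimate {estimate_hours(4):.0f} h)")
```

Treat `ended-early` and `never-started` as a reason to hold the Log Collector downgrade until you have decided whether to rerun the migration or accept partial log data.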